mirror of
https://github.com/danny-avila/LibreChat.git
synced 2026-07-02 12:22:22 +00:00
* feat: Add granular access control to shared links via ACL system * fix(shared-links): preserve isPublic on failed migration grants Transient ACL failures during auto-migration permanently stranded links — $unset ran unconditionally, removing the legacy flag that triggers retry. Now only $unset isPublic after all grants succeed. * fix(config): skip isPublic unset for failed ACL grants Bulk migration unconditionally removed isPublic from all links, even those whose ACL writes failed. Failed links then lost the legacy marker needed for auto-migration retry. Now tracks failed link IDs per-batch and excludes them from the $unset step. Also adds sharedLink to AccessRole resourceType schema enum — was missing, only worked because seedDefaultRoles uses findOneAndUpdate which bypasses validation. * ci(config): add jest config and PR workflow for migration tests config/__tests__/ specs depend on api/jest.config.js module mappings but had no dedicated runner. Adds config/jest.config.js extending api config with absolutized paths, npm test:config script, and a GitHub Actions workflow triggered by changes to config/, api/models/, api/db/, or packages/ ACL code. * fix(permissions): honor boolean sharedLinks config SHARED_LINKS has no USE permission, so boolean config produced an empty update payload — gate conditions only matched object form, making `sharedLinks: false` a no-op on existing perms. * fix(share): resolve role before creating shared link Role lookup between create and grant left an orphaned link without ACL entries if getRoleByName threw — retry then hit "Share already exists" with no recovery path. * fix: Restore Public ACL Access Checks * fix: Type Public ACL Lookup * fix: Preserve Private Legacy Shared Links * chore: Promote Shared Link Permission Migration * fix: Address Shared Link Review Findings * fix: Repair Shared Link CI Follow-Up * fix: Narrow Shared Link Mongoose Test Mock * fix: Address Shared Link Review Follow-Ups * fix: Close Shared Link Review Gaps * fix: Guard Missing Shared Link Permission Backfill * test: Add Shared Link Mock E2E * test: Stabilize Shared Link Mock E2E --------- Co-authored-by: Danny Avila <danny@librechat.ai>
320 lines
10 KiB
JavaScript
320 lines
10 KiB
JavaScript
jest.mock('~/models', () => ({
|
|
getRoleByName: jest.fn(),
|
|
findMCPServerByObjectId: jest.fn(),
|
|
getSkillById: jest.fn(),
|
|
}));
|
|
|
|
jest.mock('~/server/middleware', () => ({
|
|
requireJwtAuth: (req, _res, next) => next(),
|
|
checkBan: (_req, _res, next) => next(),
|
|
uaParser: (_req, _res, next) => next(),
|
|
canAccessResource: jest.fn(() => (_req, _res, next) => next()),
|
|
}));
|
|
|
|
jest.mock('~/server/middleware/checkPeoplePickerAccess', () => ({
|
|
checkPeoplePickerAccess: jest.fn((_req, _res, next) => next()),
|
|
}));
|
|
|
|
jest.mock('~/server/middleware/roles/capabilities', () => ({
|
|
hasCapability: jest.fn(),
|
|
}));
|
|
|
|
jest.mock('~/server/controllers/PermissionsController', () => ({
|
|
getUserEffectivePermissions: jest.fn((_req, res) => res.json({ permissions: [] })),
|
|
getAllEffectivePermissions: jest.fn((_req, res) => res.json({ permissions: [] })),
|
|
updateResourcePermissions: jest.fn((_req, res) => res.json({ success: true })),
|
|
getResourcePermissions: jest.fn((_req, res) => res.json({ permissions: [] })),
|
|
getResourceRoles: jest.fn((_req, res) => res.json({ roles: [] })),
|
|
searchPrincipals: jest.fn((_req, res) => res.json({ principals: [] })),
|
|
}));
|
|
|
|
const express = require('express');
|
|
const request = require('supertest');
|
|
const mongoose = require('mongoose');
|
|
const {
|
|
SystemRoles,
|
|
ResourceType,
|
|
AccessRoleIds,
|
|
PrincipalType,
|
|
PermissionBits,
|
|
PermissionTypes,
|
|
Permissions,
|
|
} = require('librechat-data-provider');
|
|
|
|
const { updateResourcePermissions } = require('~/server/controllers/PermissionsController');
|
|
const { hasCapability } = require('~/server/middleware/roles/capabilities');
|
|
const { canAccessResource } = require('~/server/middleware');
|
|
const accessPermissionsRouter = require('./accessPermissions');
|
|
const { getRoleByName } = require('~/models');
|
|
|
|
describe('Access permissions share policy', () => {
|
|
let app;
|
|
const mockSharedLinkFindById = jest.fn();
|
|
const originalSharedLinkModel = mongoose.models.SharedLink;
|
|
|
|
const resourceId = '507f1f77bcf86cd799439011';
|
|
const sharePolicyCases = [
|
|
{
|
|
label: 'agent',
|
|
resourceType: ResourceType.AGENT,
|
|
permissionType: PermissionTypes.AGENTS,
|
|
accessRoleId: AccessRoleIds.AGENT_VIEWER,
|
|
middlewareOptions: {
|
|
resourceType: ResourceType.AGENT,
|
|
requiredPermission: PermissionBits.SHARE,
|
|
resourceIdParam: 'resourceId',
|
|
},
|
|
},
|
|
{
|
|
label: 'prompt group',
|
|
resourceType: ResourceType.PROMPTGROUP,
|
|
permissionType: PermissionTypes.PROMPTS,
|
|
accessRoleId: AccessRoleIds.PROMPTGROUP_VIEWER,
|
|
middlewareOptions: {
|
|
resourceType: ResourceType.PROMPTGROUP,
|
|
requiredPermission: PermissionBits.SHARE,
|
|
resourceIdParam: 'resourceId',
|
|
},
|
|
},
|
|
{
|
|
label: 'MCP server',
|
|
resourceType: ResourceType.MCPSERVER,
|
|
permissionType: PermissionTypes.MCP_SERVERS,
|
|
accessRoleId: AccessRoleIds.MCPSERVER_VIEWER,
|
|
middlewareOptions: {
|
|
resourceType: ResourceType.MCPSERVER,
|
|
requiredPermission: PermissionBits.SHARE,
|
|
resourceIdParam: 'resourceId',
|
|
idResolver: expect.any(Function),
|
|
},
|
|
},
|
|
{
|
|
label: 'remote agent',
|
|
resourceType: ResourceType.REMOTE_AGENT,
|
|
permissionType: PermissionTypes.REMOTE_AGENTS,
|
|
accessRoleId: AccessRoleIds.REMOTE_AGENT_VIEWER,
|
|
middlewareOptions: {
|
|
resourceType: ResourceType.REMOTE_AGENT,
|
|
requiredPermission: PermissionBits.SHARE,
|
|
resourceIdParam: 'resourceId',
|
|
},
|
|
},
|
|
{
|
|
label: 'skill',
|
|
resourceType: ResourceType.SKILL,
|
|
permissionType: PermissionTypes.SKILLS,
|
|
accessRoleId: AccessRoleIds.SKILL_VIEWER,
|
|
middlewareOptions: {
|
|
resourceType: ResourceType.SKILL,
|
|
requiredPermission: PermissionBits.SHARE,
|
|
resourceIdParam: 'resourceId',
|
|
idResolver: expect.any(Function),
|
|
},
|
|
},
|
|
];
|
|
|
|
const createUpdatedPrincipal = (accessRoleId) => ({
|
|
type: PrincipalType.USER,
|
|
id: 'target-user',
|
|
accessRoleId,
|
|
});
|
|
|
|
const allowSharedLinkSharing = () => {
|
|
getRoleByName.mockResolvedValue({
|
|
permissions: {
|
|
[PermissionTypes.SHARED_LINKS]: {
|
|
[Permissions.SHARE]: true,
|
|
[Permissions.SHARE_PUBLIC]: true,
|
|
},
|
|
},
|
|
});
|
|
};
|
|
|
|
const mockSharedLinkOwner = (ownerId = 'owner-user') => {
|
|
mockSharedLinkFindById.mockReturnValue({
|
|
lean: jest.fn().mockResolvedValue({ user: ownerId }),
|
|
});
|
|
};
|
|
|
|
beforeEach(() => {
|
|
jest.clearAllMocks();
|
|
if (mongoose.models.SharedLink) {
|
|
mongoose.models.SharedLink.findById = mockSharedLinkFindById;
|
|
} else {
|
|
mongoose.models.SharedLink = { findById: mockSharedLinkFindById };
|
|
}
|
|
hasCapability.mockResolvedValue(false);
|
|
|
|
app = express();
|
|
app.use(express.json());
|
|
app.use((req, _res, next) => {
|
|
req.user = { id: 'skill-owner', role: SystemRoles.USER };
|
|
next();
|
|
});
|
|
app.use('/api/permissions', accessPermissionsRouter);
|
|
});
|
|
|
|
afterAll(() => {
|
|
if (originalSharedLinkModel) {
|
|
mongoose.models.SharedLink = originalSharedLinkModel;
|
|
} else {
|
|
delete mongoose.models.SharedLink;
|
|
}
|
|
});
|
|
|
|
it.each(sharePolicyCases)(
|
|
'blocks non-public $label sharing when ACL SHARE passes but role SHARE is disabled',
|
|
async ({ resourceType, permissionType, accessRoleId, middlewareOptions }) => {
|
|
getRoleByName.mockResolvedValue({
|
|
permissions: {
|
|
[permissionType]: {
|
|
[Permissions.SHARE]: false,
|
|
[Permissions.SHARE_PUBLIC]: false,
|
|
},
|
|
},
|
|
});
|
|
|
|
const response = await request(app)
|
|
.put(`/api/permissions/${resourceType}/${resourceId}`)
|
|
.send({ updated: [createUpdatedPrincipal(accessRoleId)], public: false });
|
|
|
|
expect(response.status).toBe(403);
|
|
expect(response.body).toEqual({
|
|
error: 'Forbidden',
|
|
message: `You do not have permission to share ${resourceType} resources`,
|
|
});
|
|
expect(canAccessResource).toHaveBeenCalledWith(middlewareOptions);
|
|
expect(updateResourcePermissions).not.toHaveBeenCalled();
|
|
},
|
|
);
|
|
|
|
it('allows non-public skill sharing when both ACL SHARE and role SKILLS.SHARE pass', async () => {
|
|
getRoleByName.mockResolvedValue({
|
|
permissions: {
|
|
[PermissionTypes.SKILLS]: {
|
|
[Permissions.SHARE]: true,
|
|
[Permissions.SHARE_PUBLIC]: false,
|
|
},
|
|
},
|
|
});
|
|
|
|
const response = await request(app)
|
|
.put(`/api/permissions/${ResourceType.SKILL}/${resourceId}`)
|
|
.send({ updated: [createUpdatedPrincipal(AccessRoleIds.SKILL_VIEWER)], public: false });
|
|
|
|
expect(response.status).toBe(200);
|
|
expect(response.body).toEqual({ success: true });
|
|
expect(updateResourcePermissions).toHaveBeenCalledTimes(1);
|
|
});
|
|
|
|
it('preserves resource management capability bypass for non-public skill sharing', async () => {
|
|
hasCapability.mockResolvedValue(true);
|
|
|
|
const response = await request(app)
|
|
.put(`/api/permissions/${ResourceType.SKILL}/${resourceId}`)
|
|
.send({ updated: [createUpdatedPrincipal(AccessRoleIds.SKILL_VIEWER)], public: false });
|
|
|
|
expect(response.status).toBe(200);
|
|
expect(response.body).toEqual({ success: true });
|
|
expect(getRoleByName).not.toHaveBeenCalled();
|
|
expect(updateResourcePermissions).toHaveBeenCalledTimes(1);
|
|
});
|
|
|
|
it('still requires SHARE_PUBLIC when enabling public skill sharing', async () => {
|
|
getRoleByName.mockResolvedValue({
|
|
permissions: {
|
|
[PermissionTypes.SKILLS]: {
|
|
[Permissions.SHARE]: true,
|
|
[Permissions.SHARE_PUBLIC]: false,
|
|
},
|
|
},
|
|
});
|
|
|
|
const response = await request(app)
|
|
.put(`/api/permissions/${ResourceType.SKILL}/${resourceId}`)
|
|
.send({ public: true, publicAccessRoleId: AccessRoleIds.SKILL_VIEWER });
|
|
|
|
expect(response.status).toBe(403);
|
|
expect(response.body).toEqual({
|
|
error: 'Forbidden',
|
|
message: `You do not have permission to share ${ResourceType.SKILL} resources publicly`,
|
|
});
|
|
expect(updateResourcePermissions).not.toHaveBeenCalled();
|
|
});
|
|
|
|
it('blocks granting shared-link owner through generic permission updates', async () => {
|
|
allowSharedLinkSharing();
|
|
mockSharedLinkOwner();
|
|
|
|
const response = await request(app)
|
|
.put(`/api/permissions/${ResourceType.SHARED_LINK}/${resourceId}`)
|
|
.send({
|
|
updated: [
|
|
{
|
|
type: PrincipalType.USER,
|
|
id: 'target-user',
|
|
accessRoleId: AccessRoleIds.SHARED_LINK_OWNER,
|
|
},
|
|
],
|
|
public: false,
|
|
});
|
|
|
|
expect(response.status).toBe(400);
|
|
expect(response.body.message).toBe('Shared link owner permissions cannot be changed');
|
|
expect(updateResourcePermissions).not.toHaveBeenCalled();
|
|
});
|
|
|
|
it('blocks granting shared-link owner to the public principal', async () => {
|
|
allowSharedLinkSharing();
|
|
|
|
const response = await request(app)
|
|
.put(`/api/permissions/${ResourceType.SHARED_LINK}/${resourceId}`)
|
|
.send({
|
|
public: true,
|
|
publicAccessRoleId: AccessRoleIds.SHARED_LINK_OWNER,
|
|
});
|
|
|
|
expect(response.status).toBe(400);
|
|
expect(response.body.message).toBe('Shared link owner permissions cannot be changed');
|
|
expect(updateResourcePermissions).not.toHaveBeenCalled();
|
|
expect(mockSharedLinkFindById).not.toHaveBeenCalled();
|
|
});
|
|
|
|
it('blocks removing the canonical shared-link owner', async () => {
|
|
allowSharedLinkSharing();
|
|
mockSharedLinkOwner('owner-user');
|
|
|
|
const response = await request(app)
|
|
.put(`/api/permissions/${ResourceType.SHARED_LINK}/${resourceId}`)
|
|
.send({
|
|
updated: [],
|
|
removed: [{ type: PrincipalType.USER, id: 'owner-user' }],
|
|
public: false,
|
|
});
|
|
|
|
expect(response.status).toBe(400);
|
|
expect(response.body.message).toBe('Shared link owner permissions cannot be changed');
|
|
expect(updateResourcePermissions).not.toHaveBeenCalled();
|
|
});
|
|
|
|
it('allows viewer grants for non-owner shared-link users', async () => {
|
|
allowSharedLinkSharing();
|
|
mockSharedLinkOwner('owner-user');
|
|
|
|
const response = await request(app)
|
|
.put(`/api/permissions/${ResourceType.SHARED_LINK}/${resourceId}`)
|
|
.send({
|
|
updated: [
|
|
{
|
|
type: PrincipalType.USER,
|
|
id: 'target-user',
|
|
accessRoleId: AccessRoleIds.SHARED_LINK_VIEWER,
|
|
},
|
|
],
|
|
public: false,
|
|
});
|
|
|
|
expect(response.status).toBe(200);
|
|
expect(updateResourcePermissions).toHaveBeenCalledTimes(1);
|
|
});
|
|
});
|